Biometric authentication (e.g., fingerprint biometric authentication on mobile devices in the payment context) has gained some popularity recently with the advent of the Fast Identity Online (FIDO) standard and adoption by various peer-to-peer payment providers in their online checkout flow. Biometrics are powerful authentication methods; however, biometric identifiers carry an underappreciated danger when the signature that identifies “you” is compromised. The danger is a far greater threat than simply losing a password.
A common perception is that fingerprint authentication is relatively secure; however, this is often not the case. Fingerprints are unwittingly left accessible in public areas, such as by merely touching objects. Moreover, facsimiles of one's fingerprint can be easily and quickly reproduced to spoof fingerprint reading devices. This poses a security risk for those who lose track of a fingerprint authentication device, as systems can be compromised. What is needed is a convenient, unique personal identifier whose use is insulated from misuse.